
Make Your Passwords More Powerful: Lessons from a Locksmith

Take a deep breath and accept your password alone isn’t much protection. Your 2FA approach is better, but still not 100% effective. Your password is a doorlock and your 2FA is a deadbolt. A door lock and a deadbolt deter, but don’t prevent, break-ins. Until companies implement some ideas I wrote about recently, there are some things you can do to protect yourself. These are things we do to protect our homes — where all our non-digital stuff usually resides.

Why is the front door open?

My home was never burglarized, but my car was a few years ago. I’ve seen enough movies to know where the story starts. You put the key in the door and then realize the door is already open. Something is not right.

Just like with your online account, you need to be mindful of anything out of place. Sure, Facebook changes all the time, but you should still keep an eye out for things that don’t make sense. Some examples are a new friend you don’t remember adding, or being added to a group you don’t remember joining. Facebook actually warns you about suspicious access, but people too often ignore those email messages as spam. Phishing attempts try to mimic legitimate websites, but usually there’s a “tell”. Something isn’t right, but too often you ignore it because you’re busy.

That’s just like the person who says “Oh well, I must have left the door open”. No you didn’t! If something looks amiss, that’s when you open the door very carefully and become very aware. In movies and on TV, the person ignores their instinct and the plot thickens. Yes, the call is coming from inside the house, but next time don’t go in!

For your online accounts, the problem is determining the difference between a phishing attempt and a legitimate security threat. The best approach is to change your password when anything looks out of place, even if you’re sure it’s phishing. That should be a warning: “Hey, someone may be stealing passwords, time to change mine”. Obviously you shouldn’t follow the link in a phishing email. Treat it like a call claiming to be from the credit card company and wanting your private information like your SSN or account number. Never trust the person calling you. Instead, call the number on the back of your card. If you get an email from Yahoo asking you to change your password, ignore the links in that email. Access your account the usual way and change your password.

A Wall is Safer than A Door or Window

That was an adage a locksmith told me. If there’s a door or window, that means it can be broken into. Walls are a bit harder to break through. If you aren’t using a door to the outside, it’s time to remove it. The digital equivalent of this is to limit the online accounts you create. The more accounts you have out there, the more you’re exposed. Every time you create an online account, you put your digital identity slightly more at risk. Unless you are sure that you’re going to buy from a company again, use the guest checkout. The fewer databases you’re on, the less you put your identity at risk. Sure, you’ll always need some accounts, but being mindful of whether you need to create an account each time should help.

Check those Locks: A Digital Password Audit

Every year I try to do a digital audit. I do this around tax time — which is the same time I check my credit report. I go through my password manager and do some cleaning up looking for the following things.

1 – Delete accounts I no longer use: I tried something, didn’t like it, so it’s time to close the account. Before I close the account, I change the password just in case it does get broken into. We have guides on leaving most popular web services like Facebook, Instagram, Twitter, and LinkedIn which you should follow any time you want to close them.

2 – Change passwords on all sites I use. It’s a pain, but when that database gets broken into, it will be a bigger pain. Again, my locksmith friend reminds me to change my home locks every so often. I can’t remember who I gave keys to, so it’s time to start from scratch.

3 – Review security options: as online security threats grow, companies are adding additional options. Two-factor authentication is the obvious one to look for. Enable it on every online service that offers it.

4 – Disable unused authorizations: Dropbox, Facebook and a ton of other services in the cloud let third parties either access their services or use the services through an API. That means they can threaten your Gmail account without ever having access to your password. Some of these are necessary (I’m a big fan of IFTTT), but I audit those permissions and remove services I no longer use.
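The four audit steps above can be run mechanically over a password-manager export. This is an added example, not code from the article; it assumes a hypothetical CSV export with the columns shown, and the rows are constructed sample data.

```python
"""Yearly password audit over a constructed password-manager export.

Added example (not from the article). Assumes a hypothetical CSV export with
columns: site, username, password, last_changed, last_used, twofa (yes/no).
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export; every value here is made up for illustration.
SAMPLE_EXPORT = """site,username,password,last_changed,last_used,twofa
facebook.com,dave,correct-horse-1,2023-02-01,2024-03-10,yes
oldshop.example,dave,correct-horse-1,2021-06-15,2021-07-01,no
bank.example,dave,Tr0ub4dor&3,2022-01-20,2024-03-12,yes
forum.example,dave,another-long-one,2020-11-05,2022-01-05,no
"""

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(entries, today, stale_days=365, rotate_days=365):
    """Return {site: [findings]} covering the article's four audit steps."""
    findings = defaultdict(list)
    by_password = defaultdict(list)  # password -> sites, to catch reuse
    for e in entries:
        by_password[e["password"]].append(e["site"])
        unused = (today - date.fromisoformat(e["last_used"])).days
        aged = (today - date.fromisoformat(e["last_changed"])).days
        if unused > stale_days:   # step 1: close what you no longer use
            findings[e["site"]].append("close unused account (change password first)")
        if aged > rotate_days:    # step 2: rotate old passwords
            findings[e["site"]].append("rotate password")
        if e["twofa"].lower() != "yes":  # step 3: turn on 2FA where offered
            findings[e["site"]].append("enable 2FA if offered")
    for sites in by_password.values():  # one breach should not open two doors
        if len(sites) > 1:
            for s in sites:
                others = ", ".join(x for x in sites if x != s)
                findings[s].append("password reused on: " + others)
    return dict(findings)

def run_sample(today=date(2024, 3, 15)):
    return audit(parse_export(SAMPLE_EXPORT), today)

if __name__ == "__main__":
    for site, issues in run_sample().items():
        print(site, "->", "; ".join(issues))
```

Step 4 (third-party authorizations) is not in a manager export, so it still has to be checked on each service's settings page.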

Wait Before Installing a New App or Software

I enjoy trying out new programs just like everyone else. Rogue programs slip through all sorts of app stores, so I wait a few weeks before putting software on a trusted device (I have test equipment, well, for testing). The same is true for web services. There’s no real harm in waiting to make sure a program is legitimate and isn’t riddled with security holes. Testing is fine, but test on a test machine, not production equipment.

Until technology fully frees us from passwords, a little due diligence can prevent, or at least contain, the inevitable security breaches.


About Dave Greenbaum

Based in Kansas, Dave Greenbaum runs his own computer repair business. He's written for GigaOM and Lifehacker and now writes for us as well.

2 Responses to Make Your Passwords More Powerful: Lessons from a Locksmith

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

Biometrics are password-dependent. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

OK, so I have signed up on all kinds of websites and different accounts. Some, I remember, most, I have no idea. Is there any way to generate a list of places I signed up? I have had the same e-mail for almost 20 years and I don’t really want to change it.